USM Anywhere™

IAM Roles and Permissions Required by Your AWS Sensor

The roles and permissions detailed below are required by the AWS services listed, on which your AWS Sensor relies.

During deployment, the AWS CloudFormation template provided by AT&T Cybersecurity automatically manages and assigns these as needed by your sensor.

The following table shows the IAM roles and permissions required by your AWS Sensor.

Warning: If you disable any of the services below, the sensor's ability to extract information will be impaired. The sensor won't have permission to perform the disabled function.

IAM Roles and Permissions Required by Your AWS Sensor
Prerequisites Description
Amazon CloudWatch
  • "cloudwatch:Describe*"
  • "cloudwatch:Get*"
  • "cloudwatch:List*"
  • "logs:Describe*"
  • "logs:Get*"
  • "logs:TestMetricFilter*"
AWS CloudTrail
  • "cloudtrail:Describe*"
  • "cloudtrail:Get*"
  • "cloudtrail:List*"
AWS Elastic Load Balancing (ELB)
  • "elasticloadbalancing:Describe*"
Amazon Simple Storage Service (S3)
  • "s3:Get*"
  • "s3:List*"
Amazon EC2
  • "ec2:Describe*"
AWS IAM
  • "iam:List*"
  • "iam:Get*"
Amazon GuardDuty
  • "guardduty:Get*"
  • "guardduty:List*"
Amazon Relational Database Service (RDS)
  • "rds:Describe*"
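
To confirm that a deployed sensor role still matches the table above, the following added example (not part of the AT&T Cybersecurity documentation or its CloudFormation template) compares a policy document against the listed action patterns and reports patterns that are missing and grants that go beyond the list. The function names and the sample policy are constructed for illustration; only the Action entries of Allow statements are evaluated.

```python
import re

# Action patterns copied from the table above.
REQUIRED = [
    "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
    "logs:Describe*", "logs:Get*", "logs:TestMetricFilter*",
    "cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:List*",
    "elasticloadbalancing:Describe*", "s3:Get*", "s3:List*",
    "ec2:Describe*", "iam:List*", "iam:Get*",
    "guardduty:Get*", "guardduty:List*", "rds:Describe*",
]

def allowed_actions(policy):
    """Collect Action entries of Allow statements (Action may be a str or a list).
    Simplification: NotAction, Deny, Condition and Resource are not evaluated."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            action = stmt.get("Action", [])
            actions.extend([action] if isinstance(action, str) else action)
    return actions

def covers(granted, wanted):
    """True if every action matched by `wanted` is also matched by `granted`.
    Only '*' is treated as a wildcard; action names compare case-insensitively."""
    pattern = re.escape(granted.lower()).replace(r"\*", ".*")
    return re.fullmatch(pattern, wanted.lower()) is not None

def audit(policy):
    """Return (missing, excess) relative to the patterns listed on this page."""
    granted = allowed_actions(policy)
    missing = [w for w in REQUIRED if not any(covers(g, w) for g in granted)]
    excess = [g for g in granted if not any(covers(w, g) for w in REQUIRED)]
    return missing, excess

# Constructed sample policy: two patterns narrowed or dropped, two grants added.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": [p for p in REQUIRED if p not in ("guardduty:List*", "rds:Describe*")]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["rds:DescribeDBInstances", "s3:PutObject"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:*"},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:TerminateInstances"},
]}

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_POLICY)
    print("missing:", missing)
    print("excess:", excess)
```

A non-empty "missing" list means the sensor loses the corresponding collection function; a non-empty "excess" list marks grants wider than the read-only patterns in the table.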